: The tools '''ewfacquire''' and '''ewfacquiresteam''' are part of the [[libewf]] library package. They can create evidence files in the [[EnCase]] and [[FTK Imager]] .E0* (EWF-E01) and [[SMART]] .s0* (EWF-S01) formats. '''ewfacquire''' is intended to read from devices and '''ewfacquirestream''' from pipes. Both tools calculate an [[MD5]] hash on default while the data is being acquired. They are able to calculate a [[SHA1]] message digest as well, but because of compatibility with [[EnCase]] they only store the [[SHA1]] hash in the Extended EWF (EWF-X) format. '''ewfacquire''' and '''ewfacquirestream''' provide support for byte swapping of media bytes. This is useful for dealing with big endian media on and little endian architectures and vice versa. It also has intelligent error recovery.

: The tools '''ewfacquire''' and '''ewfacquiresteam''' are part of the [[libewf]] library package. They can create evidence files in the [[EnCase]] and [[FTK Imager]] .E0* (EWF-E01) and [[SMART]] .s0* (EWF-S01) formats. '''ewfacquire''' is intended to read from devices and '''ewfacquirestream''' from pipes. Both tools calculate an [[MD5]] hash on default while the data is being acquired. They are able to calculate a [[SHA1]] message digest as well, but because of compatibility with [[EnCase]] they only store the [[SHA1]] hash in the Extended EWF (EWF-X) format. '''ewfacquire''' and '''ewfacquirestream''' provide support for byte swapping of media bytes. This is useful for dealing with big endian media on and little endian architectures and vice versa. It also has intelligent error recovery.

−

: [[libewf]]

+

: [[libewf|https://code.google.com/p/libewf/]]

; [[Adepto]]

; [[Adepto]]

Revision as of 01:33, 15 July 2013

Note: We're trying to use the same tool template for all devices. Please use this if possible.

TODO: Not all of the following are tools, most are simply company names. The tools should have their own articles...

Unix-based imagers

ewfacquire, ewfacquirestream

The tools ewfacquire and ewfacquiresteam are part of the libewf library package. They can create evidence files in the EnCase and FTK Imager .E0* (EWF-E01) and SMART .s0* (EWF-S01) formats. ewfacquire is intended to read from devices and ewfacquirestream from pipes. Both tools calculate an MD5 hash on default while the data is being acquired. They are able to calculate a SHA1 message digest as well, but because of compatibility with EnCase they only store the SHA1 hash in the Extended EWF (EWF-X) format. ewfacquire and ewfacquirestream provide support for byte swapping of media bytes. This is useful for dealing with big endian media on and little endian architectures and vice versa. It also has intelligent error recovery.

Part of the AFF system, aimage can create files is raw, AFF, AFD, or AFM formats. AFF and AFD formats can be compressed or uncompressed. aimage can optionally compress and calculate MD5 or SHA-1 hash residues while the data is being copied. It has intelligent error recovery, similar to what is in ddrescue.

A program that converts and copies files, is one of the oldest Unix programs. I can copy data from any Unix "file" (including a raw partition) to any other Unix "file" (including a disk file or a raw partition). This is one of the oldest of the imaging tools, and produces raw image files. Extended into dcfldd.